REAL PARTY IN INTEREST

The real party in interest in this appeal is the following party: International Business
Machines Corporation.

RELATED APPEALS AND INTERFERENCES

With respect to other appeals or interferences that will directly affect, or be directly affected
by, or have a bearing on the Board's decision in the pending appeal, there are no such appeals or
interferences.

STATUS OF CLAIMS
A. TOTAL NUMBER OF CLAIMS IN APPLICATION 

Claims in the application are: 1-21

B. STATUS OF ALL THE CLAIMS IN APPLICATION

1. Claims canceled: NONE

2. Claims withdrawn from consideration but not canceled: NONE

3. Claims pending: 1-21

4. Claims allowed: NONE

5. Claims rejected: 1-21

6. Claims objected to: NONE

C. CLAIMS ON APPEAL

The claims on appeal are: 1-21

STATUS OF AMENDMENTS

There are no amendments after final rejection.

SUMMARY OF CLAIMED SUBJECT MATTER

A. CLAIMS 1, 8 and 15 - INDEPENDENT

Independent claims 1, 8, and 15 of the present invention are directed to a method, a
computer program product, and a data processing system for reporting security situations,
comprising the steps of logging events by storing event attributes as an event set, wherein each
event set includes a source attribute, a target attribute and an event category attribute; classifying
events as groups by aggregating events with at least one attribute within the event set as an
identical value; calculating severity levels for the groups, wherein a severity level for a group is
a function of a number of events comprising the group and values of common elements in the
group; and reporting a group from the groups to a user as a situation, if a severity level of the
group exceeds a threshold value. (Specification page 16, lines 15-28, Figure 9, and page 12, line
29 to page 13, line ?).

B. CLAIMS 2, 9 and 16 - DEPENDENT

Dependent claims 2, 9, and 16 of the present invention are directed to a method, a
computer program product, and a data processing system wherein the severity levels are
calculated based on at least one of the number of event sets within each of the groups, the source
attribute of the event sets within each of the groups, the target attribute of the event sets within
each of the groups, and the event category attribute of the event sets within each of the groups.
(Specification page 12, line 24 to page 13, line 32).

C. CLAIMS 4, 11 and 18 - DEPENDENT

Dependent claims 4, 11, and 18 of the present invention are directed to a method, a
computer program product, and a data processing system which further comprise calculating the
threshold value based on at least one of the source attribute of the event sets within the group,
the target attribute of the event sets within the group, the event category attribute in each event
set of the group, and the number of attributes in each event set of the group that are held constant
across all of the event sets in the group. (Specification page 13, lines 8-32).



(Appeal Brief Page 8 of 23)

D. CLAIMS 7, 14 and 21 - DEPENDENT

Dependent claims 7, 14, and 21 of the present invention are directed to a method, a
computer program product, and a data processing system which further comprise aggregating a
subset of the groups into a combined group. (Specification page 14, lines 7-28).
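The procedure summarized in claims 1, 2, 4 and 7 above, carried through in working code as an added example. This is not code from the appeal brief, from the applicants, or from any cited reference: the attribute names, the scoring rule, the category weights, the per-target thresholds and the sample events are all assumptions chosen for illustration, since the claims fix only which quantities the severity and the threshold may depend on (the event count and the values of the group's common elements for severity; the group's attributes and the number of attributes held constant for the threshold).

```python
"""Added illustration of the claimed procedure (claims 1, 2, 4 and 7).
Not the applicants' code; all weights, rules and sample data are assumptions."""

from collections import defaultdict
from dataclasses import dataclass

ATTRIBUTES = ("source", "target", "category")


@dataclass(frozen=True)
class EventSet:
    """One logged event: the three attributes claim 1 requires."""
    source: str
    target: str
    category: str


@dataclass
class Group:
    key: tuple      # the (attribute, value) pairs the events were aggregated on
    events: list

    def common_elements(self) -> dict:
        """Attributes whose value is identical across every event set in the group."""
        common = {}
        for attr in ATTRIBUTES:
            values = {getattr(e, attr) for e in self.events}
            if len(values) == 1:
                common[attr] = next(iter(values))
        return common


# Constructed sample log (step 1, "logging events"): a burst against web01 from
# one source, plus routine web traffic from another source.
SAMPLE_EVENTS = [
    EventSet("10.0.0.5", "web01", "authentication_failure"),
    EventSet("10.0.0.5", "web01", "authentication_failure"),
    EventSet("10.0.0.5", "web01", "authentication_failure"),
    EventSet("10.0.0.5", "web01", "access_violation"),
    EventSet("10.0.0.9", "web01", "web_server_event"),
    EventSet("10.0.0.9", "web01", "web_server_event"),
]

# Assumed per-category weights (illustration only; not from the claims).
CATEGORY_WEIGHT = {"authentication_failure": 2.0, "access_violation": 3.0, "virus": 4.0}
# Assumed per-target threshold overrides (claim 4: threshold from the target attribute).
TARGET_THRESHOLD = {"db01": 4.0}
DEFAULT_THRESHOLD = 8.0


def classify(events, *attributes) -> list:
    """Step 2: aggregate events whose values for the given attribute(s) are identical."""
    buckets = defaultdict(list)
    for e in events:
        buckets[tuple(getattr(e, a) for a in attributes)].append(e)
    return [Group(tuple(zip(attributes, values)), evs) for values, evs in buckets.items()]


def severity(group: Group) -> float:
    """Step 3 / claim 2: a function of the event count and the common element values.
    Assumed rule: the count, scaled by how many attributes are constant across the
    group and by the weight of a shared category (if the category is common)."""
    common = group.common_elements()
    weight = CATEGORY_WEIGHT.get(common.get("category"), 1.0)
    return len(group.events) * (1 + len(common)) * weight


def threshold(group: Group) -> float:
    """Claim 4: threshold derived from the group's common target attribute (assumed rule)."""
    return TARGET_THRESHOLD.get(group.common_elements().get("target"), DEFAULT_THRESHOLD)


def report(groups) -> list:
    """Step 4: groups whose severity exceeds their threshold are reported as situations."""
    situations = []
    for g in groups:
        s, t = severity(g), threshold(g)
        if s > t:   # "exceeds": strictly greater, so a score equal to the threshold is silent
            situations.append({"key": g.key, "events": len(g.events), "severity": s, "threshold": t})
    return situations


def combine(groups, predicate) -> Group:
    """Claim 7: aggregate a subset of the groups into one combined group."""
    selected = [g for g in groups if predicate(g)]
    return Group(("combined",) + tuple(g.key for g in selected),
                 [e for g in selected for e in g.events])


if __name__ == "__main__":
    by_source = classify(SAMPLE_EVENTS, "source")
    for situation in report(by_source):
        print("situation:", situation)
    # Combine every group that touched web01 and score the combined group.
    web01 = combine(by_source, lambda g: any(e.target == "web01" for e in g.events))
    print("combined web01 group: severity", severity(web01), "threshold", threshold(web01))
```

Run stand-alone, grouping by source reports one situation (the 10.0.0.5 group, severity 12 against a threshold of 8). The 10.0.0.9 group scores exactly 8 and stays silent, because claim 1 reports a group only when its severity exceeds the threshold. Combining both groups under claim 7 yields a six-event group whose only common element is the target web01; its severity is again computed from the group's count and common values, which is the distinction the brief draws between a per-record severity and a severity calculated for the group itself.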
A. GROUND OF REJECTION 1 (Claims 1-21)

Claims 1-21 stand rejected under 35 U.S.C. § 103 as obvious in view of Farley et al. (U.S.
Patent App. 2002/0078381) and Drake et al. (U.S. Patent No. 6,347,374).

B. GROUND OF REJECTION 2 (Claims 4, 7, 11, 14, 18, and 21)

Claims 4, 7, 11, 14, 18, and 21 stand rejected under 35 U.S.C. § 103 as obvious in view of
Farley et al. (U.S. Patent App. 2002/0078381), Drake et al. (U.S. Patent No. 6,347,374), and
Burrows et al. (U.S. Patent No. 2002/0073338).
ARGUMENT

A. GROUND OF REJECTION 1 (Claims 1-21)

A.1. 35 U.S.C. § 103. Obviousness. Claims 1-21

The Final Office Action rejects claims 1-21 under 35 U.S.C. § 102(e) as being obvious in
view of Farley (U.S. Patent App. 2002/0078381) (hereinafter "Farley") and Drake (U.S. Patent
No. 6,347,374) (hereinafter "Drake"). This rejection is respectfully traversed.

As to claims 1, 8, and 15, the Final Office Action states: 

As per claims 1, 8, and 15, Drake teaches a method in a data processing
system for reporting security situations, comprising the steps of:

logging events by storing event attributes as an event set, wherein each
event set includes a source attribute, a target attribute and an event category
attribute (Farley, see example, Para [0019] Line 1-3 and Para [0019] Line 12 - 17:
SRC / DEST / EVENT TYPE as the event attribute parameters);

Farley teaches classifying and correlating the raw events (Farley, Para
[0019] Line 1 - 3). However, Farley does not disclose expressly classifying events
as groups by aggregating events with at least one attribute within the event set as
an identical value.
Drake teaches classifying events as groups by aggregating events with at
least one attribute within the event set as an identical value (Drake, see example,
Column 11 Line 38 - 50 and Column 14 Line 18-21: Drake teaches aggregating
the correlated raw events into event groups with at least one attribute within the
event set as an identical value such as (a) same user ID, or (b) same group type as
"authentication failure" to generate an alert of severity situations).

calculating severity levels for the groups, wherein a severity level for a
group is a function of a number of events comprising the group and values of
common elements in the group (Drake, see example, Column 12 Line 29 - 30,
Column 11 Line 38 - 50 and Column 14 Line 18 - 21: the "authentication failure"
is qualified to meet the severity level as an event caused by the failures of a user
login).

reporting a group from the groups to a user as a situation, if a severity
level of the group exceeds a threshold value (Drake, see example, Column 11
Line 38 - 50 and Column 14 Line 18-21: the "authentication failure" is qualified
to meet the severity level as an event caused by the failures of a user login when
the aggregating events exceed the predetermined number (i.e., threshold = 3) as
taught by Drake).

It would have been obvious to a person of ordinary skill in the art at the
time the invention was made to combine the teaching of Drake within the system
of Farley because (a) Farley teaches classifying and correlating raw events by
providing a security management system in a networked computer system

Black et al. - 09/931,301

(Farley, Para [0019] Line 1 - 3 and Para [0016]) and (b) Drake teaches improving
network security by providing an effective event detecting systems (Drake, see
example, Column 2 Line 4-8 and Column 3 Line 34 - 35).

Office Action dated January 24, 2006, pages 3-4. 

The Examiner bears the burden of establishing a prima facie case of obviousness based
on the prior art when rejecting claims under 35 U.S.C. § 103. In re Fritch, 972 F.2d 1260, 23
U.S.P.Q.2d 1780 (Fed. Cir. 1992). To establish a prima facie case of obviousness, the Examiner
must show some suggestion or motivation to combine or modify reference teachings, show a
reasonable expectation of success, and show that the cited references teach or suggest all of the
claim limitations. MPEP § 706.02(j).

Independent claim 1, which is representative of independent claims 8 and 15 with regard
to similarly recited subject matter, reads as follows:

1. A method in a data processing system for reporting security situations, 
comprising the steps of: 

logging events by storing event attributes as an event set, wherein each 
event set includes a source attribute, a target attribute and an event category 
attribute; 

classifying events as groups by aggregating events with at least one 
attribute within the event set as an identical value; 

calculating severity levels for the groups, wherein a severity level for a 
group is a function of a number of events comprising the group and values of 
common elements in the group; and 

reporting a group from the groups to a user as a situation, if a severity level of the
group exceeds a threshold value.

The Examiner states that Farley does not teach classifying events as groups by
aggregating events with at least one attribute within the event set as an identical value. As
Farley does not teach or suggest classifying events as groups, Farley does not teach or suggest
calculating severity levels for the groups, wherein a severity level for a group is a function of a
number of events comprising the group and values of common elements in the group, nor does
the Examiner allege that any section of Farley does so.

Drake does not cure the deficiencies of Farley. The Examiner alleges that Drake teaches
calculating a severity level for the groups, wherein a severity level for a group is a function of a
number of events comprising the group and values of common elements in the group, in the
following cited passages:

Information such as the event detection system event number and severity level 
are derived by this method. 

Drake, col. 12, lines 29-30.

In the present embodiment, there are six, standard, defined severity levels, one of
which is assigned to each Virtual Record.

    Level   Meaning
    0       Irrelevant or undefined
    1       Potentially significant event
    2       Interesting event
    3       Significant event
    4       warning
    5       Alert

Drake, col. 11, lines 38-50.

For example, consider a set of rules that generates an alert on three failed logins.
The rules for this alert are "three failed logins, by a user, at a platform, without an
intervening successful login or system restart".

Drake, col. 14, lines 18-21.

The first passage above discloses that a rules-based processing method applied to an
event record when the record is inserted into the database is used to derive an event detection
system event number and severity level. The second passage discloses the various severity
levels, such as irrelevant, potentially significant, interesting, significant, warning, and alert, and
that each record is assigned one of the severity levels. The third passage discloses a rules-based
alert which generates an alert based on three failed logins by a user.

However, the passages above do not teach or suggest calculating severity levels for the
groups, wherein a severity level for a group is a function of a number of events comprising the
group and values of common elements in the group. The passages merely disclose the use of
assigning a severity level to a record, and that the rules-based alert may be used to generate an
alert upon the failure of a user's 3rd login attempt. There is no discussion in Drake of calculating
a severity level for a group of events as recited in the claimed invention. The Examiner alleges
that "authentication failure" is qualified to meet the severity level as an event by the failures of a
user login. However, determining whether an alert should be generated based on multiple
unsuccessful logins is not the same as calculating a severity level for a group of events. Rather,
as shown above in column 11, lines 38-50 and column 12, lines 28-30, Drake does not teach
assigning severity levels to groups of events, but rather Drake explicitly teaches that one severity
level is assigned to each Virtual Record. As disclosed in column 6, lines 6-8, Drake teaches that
a Virtual Record is a "standardized flat representation of an event in a normalized format".
Thus, even though Drake derives severity levels, these levels are derived for each Virtual
Record, which represents a single event, rather than a group of events as recited in claim 1.
Drake does not mention that there is a severity level calculated for the group itself. Instead,
Drake discloses an alert is generated if a specific number of the same event occurs (e.g., 3 failed
logins by a particular user).

Furthermore, the passages above also do not teach or suggest that the severity level for a
group is a function of a number of events comprising the group and values of common elements
in the group. Thus, the common elements in the group have values which are used to calculate
the severity level of the group. Drake does not mention a severity level calculated for the group
itself and that the severity level of the calculated group is based on common elements in the
group. Drake merely discloses that an alert is generated based on the occurrence of a specific
number of events (e.g., 3 failed logins).

Thus, while Drake may derive and assign severity levels to individual records in the
database tables, Drake does not teach or suggest anything about calculating a severity level for a
group of events, nor does Drake teach or suggest that the calculated group severity level is based
on a number of events comprising the group and values of common elements in the group. Even
if the missing elements of the rejected claims existed in the prior art, for the rejected claims to be
obvious there must be some motivation or incentive from the prior art to modify or combine the
reference teachings to achieve the present invention. The Examiner does not provide any
motivation from either reference that making all the necessary modifications to the reference
teachings to achieve the present invention would be desirable. If the Examiner cannot make
such a showing, then the Examiner has simply relied on hindsight with the benefit of Applicants'
disclosure to develop an incentive for the changes, which in fact, would not be obvious to one of
ordinary skill in the art at the time the invention was made.

In view of the above, Applicants submit that independent claims 1, 8, and 15 are not
taught or suggested by the alleged combination of Farley and Drake. At least by virtue of their
dependency on claims 1, 8, and 15, respectively, Farley and Drake also do not teach or suggest
the features in dependent claims 2-7, 9-14, and 16-21.

Furthermore, claims 2-7, 9-14, and 16-21 recite additional subject matter not suggested
by the Farley and Drake references. For instance, claims 2, 9, and 16 recite severity levels are
calculated based on at least one of the number of event sets within each of the groups, the source
attribute of the event sets within each of the groups, the target attribute of the event sets within
each of the groups, and the event category attribute of the event sets within each of the groups.
As discussed in the response to the rejection of claims 1, 8, and 15 above, the features of
calculating severity levels for an event group in these claims are neither taught nor suggested by
Farley or Drake.

Accordingly, Applicants respectfully request withdrawal of the rejection of claims 1-21
under 35 U.S.C. § 103.

B. GROUND OF REJECTION 2 (Claims 4, 7, 11, 14, 18, and 21)

35 U.S.C. § 103. Obviousness. Claims 4, 7, 11, 14, 18, and 21

The Final Office Action rejects claims 4, 7, 11, 14, 18, and 21 under 35 U.S.C. § 103 as
being obvious in view of Farley (U.S. Patent App. 2002/0078381) (hereinafter "Farley"), Drake
(U.S. Patent No. 6,347,374) (hereinafter "Drake"), and Burrows et al. (U.S. Patent No.
2002/0073338) (hereinafter "Burrows"). (While the Examiner specifies in the Final Office
Action that Farley teaches the features in dependent claims 4, 7, 11, 14, 18, and 21, the Examiner
does not actually cite to or point out any section of Farley as teaching these claims. Instead, the
Examiner cites to Burrows as teaching the limitations in claims 4, 7, 11, 14, 18, and 21.) This
rejection is respectfully traversed.

Claims 4, 7, 11, 14, 18, and 21 are dependent claims depending from claims 1, 8, and 15,
respectively. Claims 4, 7, 11, 14, 18, and 21 are patentable over the cited references because the
combination of the Burrows reference with Farley and Drake would not reach the presently
claimed invention. The features relied upon as being taught in the Farley and Drake references
are not taught or suggested by those references, as argued in the response to the rejection of
claims 1, 8, and 15 in section A.1 above. As a result, a combination of these references would
not reach the claimed invention in claims 4, 7, 11, 14, 18, and 21.

Furthermore, claims 4, 7, 11, 14, 18, and 21 recite additional subject matter not suggested
by the Farley, Drake, or Burrows references. For instance, claims 7, 14, and 21 recite
aggregating a subset of the event groups into a combined group. The Examiner points to the
following passages in Farley and Burrows as teaching this feature:

Referring now to Figure 5D, this Figure is a functional block diagram
illustrating an exemplary Attack From Attacked Host (AFAH) computer security
threat. Figure 5D illustrates a computer incident source 503 with an Internet
protocol address of 1.1.1.1 sending an attack to host (attacked host) 505 that has
an Internet protocol address of 2.2.2.2. The attack between the computer incident
source 503 and the attacked host 505 may be characterized as a raw computer
event I. After being attacked, the attacked host 505 then sends another attack to a
second host 507, having an Internet protocol address of 3.3.3.3. The attack
between the attacked host 505 and the second host 507 may be characterized as a
second raw event II. The second host 507 generates an attack on a third host 509,
having an Internet protocol address of 4.4.4.4. The attack between the second host
507 and third host 509 may be characterized as a third raw event III.

Farley, para [0079].

In one embodiment, the packet traffic monitor observes the network and
thereby detects and localizes all broadcast packet traffic. Observing more than a
predetermined number of broadcast packets within a predetermined time period
implies that a broadcast storm is underway. It is likely that the packet is correctly
addressed, and that knowing the source MAC address and the network topology
will point to a particular port of a forwarding device, e.g., switch port, to be
disabled. In another embodiment, the per-port broadcast ingress packet counters
can be used to trace broadcast packets to their source. This approach is used if the
packet traffic monitor fails at determining the source, possibly because of
incorrectly formatted packets or because the misbehaving host has not been seen
on the network before (unknown MAC address). This detection approach is less
timely than the prior approach since the process of retrieving these counters from
the switch is extensive and it cannot be executed often.

Burrows, para [0050].

For example, the monitor can detect too many packets destined to an overloaded 
server, too many probe packets directed to a firewall or too many ARP request 
packets. 

Burrows, para [0046] line 10-11. 
As can be seen from the cited paragraphs above, neither Farley nor Burrows mentions
aggregating a subset of an event group into a combined event group, as recited in claims 7, 14,
and 21.

Accordingly, Appellants respectfully request the withdrawal of rejection of claims 4, 7,
11, 14, 18, and 21 under 35 U.S.C. § 103.
CLAIMS APPENDIX

The text of the claims involved in the appeal is:

1. A method in a data processing system for reporting security situations, comprising the
steps of:

logging events by storing event attributes as an event set, wherein each event set includes
a source attribute, a target attribute and an event category attribute;

classifying events as groups by aggregating events with at least one attribute within the 
event set as an identical value; 

calculating severity levels for the groups, wherein a severity level for a group is a 
function of a number of events comprising the group and values of common elements in the 
group; and 

reporting a group from the groups to a user as a situation, if a severity level of the group 
exceeds a threshold value. 

2. The method of claim 1, wherein the severity levels are calculated based on at least one of
the number of event sets within each of the groups, the source attribute of the event sets within 
each of the groups, the target attribute of the event sets within each of the groups, and the event 
category attribute of the event sets within each of the groups. 

3. The method of claim 1, wherein the events include at least one of a web server event, an
electronic mail event, a Trojan horse, denial of service, a virus, a network event, an
authentication failure, and an access violation.

4. The method of claim 1, further comprising:

calculating the threshold value based on at least one of the source attribute of the event
sets within the group, the target attribute of the event sets within the group, the event category
attribute in each event set of the group, and the number of attributes in each event set of the
group that are held constant across all of the event sets in the group.

5. The method of claim 1, wherein the target attribute represents one of a computer and a 
collection of computers. 

6. The method of claim 1, wherein the source attribute represents one of a computer and a
collection of computers.

7. The method of claim 1, further comprising: 
aggregating a subset of the groups into a combined group. 

8. A computer program product in a computer readable medium for reporting security 
events, comprising instructions for: 

logging events by storing event attributes as an event set, wherein each event set includes
a source attribute, a target attribute and an event category attribute;

classifying events as groups by aggregating events with at least one attribute within the
event set as an identical value; 

calculating severity levels for the groups, wherein a severity level for a group is a 
function of a number of events comprising the group and values of common elements in the
group; and 

reporting a group from the groups to a user as a situation, if a severity level of the group 
exceeds a threshold value. 

9. The computer program product of claim 8, wherein the severity levels are calculated
based on at least one of the number of event sets within each of the groups, the source attribute
of the event sets within each of the groups, the target attribute of the event sets within each of the
groups, and the event category attribute of the event sets within each of the groups.

10. The computer program product of claim 8, wherein the events include at least one of a
web server event, an electronic mail event, a Trojan horse, denial of service, a virus, a network
event, an authentication failure, and an access violation.

11. The computer program product of claim 8, comprising additional instructions for:
calculating the threshold value based on at least one of the source attribute of the event
sets within the group, the target attribute of the event sets within the group, the event category
attribute in each event set of the group, and the number of attributes in each event set of the
group that are held constant across all of the event sets in the group.

12. The computer program product of claim 8, wherein the target attribute represents one of a
computer and a collection of computers.

13. The computer program product of claim 8, wherein the source attribute represents one of
a computer and a collection of computers.

14. The computer program product of claim 8, comprising additional instructions for:
aggregating a subset of the groups into a combined group. 

15. A data processing system for reporting security events, comprising: 
a bus system; 

a memory; 

a processing unit, wherein the processing unit includes at least one processor; and
a set of instructions within the memory, wherein the processing unit executes the set of 
instructions to perform the acts of: 

logging events by storing event attributes as an event set, wherein each event set 
includes a source attribute, a target attribute and an event category attribute; 

classifying events as groups by aggregating events with at least one attribute
within the event set as an identical value; 

calculating severity levels for the groups, wherein a severity level for a group is a 
function of a number of events comprising the group and values of common elements in the
group; and 

reporting a group from the groups to a user as a situation, if a severity level of the 
group exceeds a threshold value. 
16. The data processing system of claim 15, wherein the severity levels are
calculated based on at least one of the number of event sets within each of the groups, the
source attribute of the event sets within each of the groups, the target attribute of the
event sets within each of the groups, and the event category attribute of the event sets
within each of the groups.

17. The data processing system of claim 15, wherein the events include at 
least one of a web server event, an electronic mail event, a Trojan horse, denial of 
service, a virus, a network event, an authentication failure, and an access violation.

18. The data processing system of claim 15, wherein the processing unit
executes the set of instructions to perform the act of: 

calculating the threshold value based on at least one of the source attribute of the 
event sets within the group, the target attribute of the event sets within the group, the 
event category attribute in each event set of the group, and the number of attributes in 
each event set of the group that are held constant across all of the event sets in the group.

19. The data processing system of claim 15, wherein the target attribute represents one of a 
computer and a collection of computers. 

20. The data processing system of claim 15, wherein the source attribute represents one of a 
computer and a collection of computers. 
21. The data processing system of claim 15, wherein the processing unit executes the set of
instructions to perform the act of:

aggregating a subset of the groups into a combined group. 
EVIDENCE APPENDIX

There is no evidence to be presented.

RELATED PROCEEDINGS APPENDIX

There are no related proceedings.